Steering Committee Meeting
Last week’s open SC meeting started with discussing who can make requests of the CNCF. The SC decided that we can set reasonable thresholds for non-SC leaders to ask the CNCF for resources, and started drafting those. Paris Pittman submitted a PR for rationalizing governance across SIGs. WGs and UGs will get reviewed later. There was also an update on SIG Charters; some still need to be approved, and others now need revision.
The rest of the meeting was a discussion of Slack moderation, where we are in a bit of a bind. Everyone wants to keep Slack open for the whole community, but nobody believes that we can get enough moderators (25+) to make that safe. The SC plans to create a group to work on this, and in the meantime new Slack registrations remain closed.
Next Deadline: CODE FREEZE, March 7th
Last week was week 8 of 1.14. As mentioned, there is no Code Slush for 1.14. If you have an enhancement, make sure it is ready to land, including tests and docs. Speaking of tests, all fails and flakes are about to become priority/critical-urgent.
To improve the release notes, Jeffrey Sica made a release notes website. Try to make release notes about the release.
There were no minor releases last week.
For a long time client-go has offered unversioned clients like `clientset.Core()`. They were always risky to use as they would simply default to the latest version of the relevant API, meaning if you upgraded your libraries it could silently break compatibility. Versioned interfaces like `clientset.AppsV1()` solve this, and have been recommended since they were added. Out with the old and in with the new, the unsafe, unversioned interfaces have now been removed. If you’ve been putting off that particular code cleanup, now is the time.
Previously any user, including unauthenticated connections, was allowed access to the discovery and access review APIs. This allowed anyone to run tools like `kubectl auth can-i` even without credentials. Given the relatively minimal benefits of this, moving forward these permissions will not be included by default in new clusters. It is recommended that existing clusters be hardened by removing `system:unauthenticated` from the `system:basic-user` cluster role bindings.
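One way to audit an existing cluster for the bindings described above, as an added example that is not part of the original newsletter or of the Kubernetes project's code: it parses the output of `kubectl get clusterrolebindings -o json` and lists every binding whose subjects include the `system:unauthenticated` group. The function name and the sample data are constructed for illustration.

```python
import json
import sys

UNAUTH_GROUP = "system:unauthenticated"

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "system:basic-user"},
         "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
         "subjects": [
             {"kind": "Group", "name": "system:authenticated"},
             {"kind": "Group", "name": "system:unauthenticated"}]},
        {"metadata": {"name": "system:discovery"},
         "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        # A User that merely shares the name is not the anonymous group.
        {"metadata": {"name": "lookalike"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "User", "name": "system:unauthenticated"}]},
        # A binding with no subjects serializes without the key at all.
        {"metadata": {"name": "empty"},
         "roleRef": {"kind": "ClusterRole", "name": "view"}},
    ],
})


def find_unauthenticated_bindings(raw_json):
    """Return (binding, role, remaining subject names) for each binding
    that grants its role to the system:unauthenticated group."""
    findings = []
    for item in json.loads(raw_json).get("items", []):
        subjects = item.get("subjects") or []
        hits = [s for s in subjects
                if s.get("kind") == "Group" and s.get("name") == UNAUTH_GROUP]
        if hits:
            keep = [s["name"] for s in subjects if s not in hits]
            findings.append((item["metadata"]["name"],
                             item["roleRef"]["name"], keep))
    return findings


if __name__ == "__main__":
    # With piped input, audit real kubectl output; otherwise use the sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for binding, role, keep in find_unauthenticated_bindings(raw):
        print(f"{binding}: role {role} is granted to {UNAUTH_GROUP}; "
              f"remaining subjects: {keep}")
```

Pipe `kubectl get clusterrolebindings -o json` into the script to check a live cluster; each reported binding is a candidate for having the group subject removed.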
Rejoice, multi-tailers: `kubectl logs` will now be able to natively follow logs from multiple pods using `-l` to provide a label selector and `-f` to enable follow mode. There have been lots of great tools to provide this feature over the years, but it’s good to get a version of it included by default to improve the out-of-the-box experience.
kubectl logs -l app=logging_test --all-containers -f
A follow up to #73033 from a few weeks ago, several kubectl commands now support direct Kustomize integration. Rather than `kubectl kustomize build . | kubectl apply -f -`, you can do `kubectl apply -k .`. As mentioned last time, this is a great step towards having workflow tools available out of the box.
- many metrics names are being converted from “latency” to “duration”, as a breaking change, for better Prometheus integration
- our OpenAPI supports nullable values now
- make short cert expiration cycles more granular for monitoring
- stop creating kubeapi endpoints before the APIserver is ready
- admission webhook timeouts are shorter and default to 30s
- support automatically provisioning CSI storage drivers so that we can migrate from in-tree to CSI storage
- change handling of kubeadm flag settings to distinguish between user-supplied and default config paths
- PodPreset now affects init containers
- alpha reflector metrics were just removed because of a memory leak
- the mount propagation feature gate is gone
- `kubeadm alpha kubeconfig` has been removed
- golang is 1.12 in master, backports to earlier Kubernetes versions pending tests